Denial of Service Guide

Issue Description

A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A DoS attack may be distributed among many sources making it a Distributed Denial of Service (DDoS) attack which can be very difficult to defend against. Some of the largest private and government websites and resources on the Internet have been taken down by DDoS attacks.

The most common types of DoS attack work by consuming a resource such as bandwidth, memory, disk space or processor time. The methods used to exhaust that resource vary greatly.

Vulnerabilities Causing DDoS Attacks

No customer takes part in a DDoS attack by choice, but if your server is vulnerable to being used in one, or is currently being used in one, it will take action on your part to stop it and to keep it from happening again.

Reflection

A number of well-known misconfigurations can cause your server to take part in a DDoS attack through what is called 'reflection'. The attacker sends forged requests to a very large number of computers, each of which dutifully replies. The forged requests carry the target's IP address as their source address, so every reply goes to (and floods) the target rather than the attacker. This only works over connectionless protocols such as UDP, where no handshake verifies the source address, which is why the services involved are UDP services that answer unsolicited requests from any address.

Some services reply with more data than they received, which gives the attacker a way to amplify the attack. Attackers therefore prefer services that not only reflect packets to the spoofed source but also multiply the amount of data delivered to the target.

Amplification factors vary widely from service to service. NetBIOS and BitTorrent amplify by a factor of only about 4, whereas the NTP monlist query amplifies traffic up to about 550 times the amount originally sent. This means that 10 bytes sent to a misconfigured NTP server from a spoofed source could result in 5,500 bytes aimed at the target of the attack. Repeated thousands of times a minute through hundreds of reflectors, this easily affects the availability of the target's services.
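The two checks an operator of a suspected reflector would actually run, as an added example that is not part of the original article: first, scan outbound UDP flow records for the reflection signature described above (a well-known amplifying port on this host sending far more bytes to one remote IP than it received from it); second, audit an ntp.conf for the settings that close the NTP monlist vector. The flow records, the port table, and both ntp.conf fragments are constructed for this example, and the thresholds are assumptions to tune for your own traffic.

```python
from collections import defaultdict

# UDP services known to reflect and amplify (port -> name). Assumed table for
# this example; extend it for your own environment.
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 137: "netbios-ns", 6881: "bittorrent"}

# Constructed sample flow records as a host-level collector might export them:
# (direction, local_udp_port, remote_ip, packets, bytes). "in" means remote -> us.
SAMPLE_FLOWS = [
    # Spoofed monlist queries "from" the victim 203.0.113.9, answered ~550x larger.
    ("in",  123, "203.0.113.9",   50,    2500),
    ("out", 123, "203.0.113.9", 5000, 1375000),
    # A real NTP client: symmetric 48-byte exchange, ratio ~1.
    ("in",  123, "198.51.100.4",  10,     480),
    ("out", 123, "198.51.100.4",  10,     480),
    # NetBIOS name queries reflected to the same victim, ratio ~4.
    ("in",  137, "203.0.113.9",  100,    5000),
    ("out", 137, "203.0.113.9",  100,   20000),
    # Legitimate asymmetric traffic (a QUIC download) on a non-amplifier port:
    # high ratio but not a reflection vector, so it must not be flagged.
    ("in",  443, "192.0.2.77",    200,   20000),
    ("out", 443, "192.0.2.77",   4000, 5000000),
]


def reflection_suspects(flows, min_ratio=3.0, min_out_bytes=10000):
    """Return the (service, remote IP) pairs where a known amplifier port on this
    host sent at least min_out_bytes and at least min_ratio times more than it
    received from that IP, largest sender first."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for direction, port, remote, _packets, nbytes in flows:
        key = (port, remote)
        (in_bytes if direction == "in" else out_bytes)[key] += nbytes
    suspects = []
    for (port, remote), sent in out_bytes.items():
        if port not in AMPLIFIER_PORTS:
            continue
        received = in_bytes.get((port, remote), 0)
        ratio = sent / max(received, 1)  # avoid division by zero when nothing came in
        if sent >= min_out_bytes and ratio >= min_ratio:
            suspects.append({"service": AMPLIFIER_PORTS[port], "port": port,
                             "remote_ip": remote, "out_bytes": sent,
                             "amplification": round(ratio, 1)})
    return sorted(suspects, key=lambda s: s["out_bytes"], reverse=True)


# Constructed ntp.conf fragments. The first lacks "noquery" on the default
# restriction, so monlist (mode 7) queries are answered for anyone.
VULNERABLE_NTP_CONF = """
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_NTP_CONF = """
server 0.pool.ntp.org iburst
# noquery blocks ntpq/ntpdc queries (including monlist) from everyone not exempted below
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor   # stop recording the monlist data at all
"""


def audit_ntp_conf(text):
    """Check whether an ntp.conf still exposes the monlist amplification vector.
    The vector is closed by 'noquery' on every 'restrict default' line, or by
    'disable monitor'; a config with no default restriction at all is open."""
    default_has_noquery = []
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_has_noquery.append("noquery" in args[1:])
        elif tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
    default_noquery = bool(default_has_noquery) and all(default_has_noquery)
    return {"default_noquery": default_noquery,
            "monitor_disabled": monitor_disabled,
            "monlist_exposed": not (default_noquery or monitor_disabled)}


if __name__ == "__main__":
    for s in reflection_suspects(SAMPLE_FLOWS):
        print(f"{s['service']}/{s['port']} -> {s['remote_ip']}: "
              f"{s['out_bytes']} B out, x{s['amplification']}")
    print("vulnerable conf exposed:", audit_ntp_conf(VULNERABLE_NTP_CONF)["monlist_exposed"])
    print("hardened conf exposed:  ", audit_ntp_conf(HARDENED_NTP_CONF)["monlist_exposed"])
```

The flow check is deliberately restricted to known amplifier ports: plenty of legitimate UDP traffic (streaming, QUIC downloads) is heavily asymmetric, so a bare bytes-out/bytes-in ratio over all ports would drown you in false positives. The signature worth alerting on is the combination of an amplifying service, a high ratio, and one remote IP absorbing the replies, since the spoofed "client" is really the victim. For the NTP audit, `noquery` on the default restriction is the fix that actually stops the reflection; `disable monitor` is the belt-and-braces setting that removes the monlist data itself.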

Compromised account running malicious program

In some less common cases, a compromised user account or even a compromised website can be used to run malicious programs that launch denial of service attacks from your server. In that case our article on diagnosing Outbound Hostile Traffic may help you.